Description
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2025-11-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Application crash leading to denial of service
Action: Patch
AI Analysis

Impact

A use‑after‑free weakness in the WebKit rendering engine causes memory corruption when an attacker supplies specially crafted web content. The resulting fault can terminate the rendering process, delivering a denial‑of‑service impact. As the flaw is a memory management bug (CWE‑416), it does not enable code execution but can disrupt user experience by crashing the browser or related apps.

Affected Systems

Apple Safari app, and the web‑browser framework embedded in iOS, iPadOS, macOS, tvOS, visionOS, and watchOS on all hardware that runs Safari and the WebKit engine. The flaw has been fixed in Safari 26.1, iOS 26.1, iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, and watchOS 26.1; any older release exposes the vulnerability.

Risk and Exploitability

The common vulnerability scoring system rate the issue at 4.3, placing it in the medium severity range. Exploit probability is low, with an EPSS score of less than 1%. At present, the CVE is not in the CISA KEV catalog. The likely attack path involves an adversary serving malicious web pages that a user visits or an application that renders user‐controlled content, triggering the crash. No privileged context or escalation is required.

Generated by OpenCVE AI on April 22, 2026 at 21:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Safari 26.1 or newer or to the corresponding iOS, iPadOS, macOS, tvOS, visionOS, or watchOS 26.1 release that contains the WebKit patch
  • If an update is unavailable, disable or remove the affected WebKit component from the target device until a patch can be applied
  • Configure network–level or browser‑level content filtering to mitigate delivery of malicious web pages to users

Generated by OpenCVE AI on April 22, 2026 at 21:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4394-1 webkit2gtk security update
Debian DSA Debian DSA DSA-6070-1 webkit2gtk security update
Ubuntu USN Ubuntu USN USN-7914-1 WebKitGTK vulnerabilities
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A use-after-free issue was addressed with improved memory management. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash. A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.

Wed, 17 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
Description A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash. A use-after-free issue was addressed with improved memory management. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Sat, 22 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 05 Nov 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
Apple tvos
Apple watchos
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os
Apple tvos
Apple watchos

Tue, 04 Nov 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios
Apple ipad Os
Apple safari
Apple tv Os
Apple visionos
Apple watch Os
Vendors & Products Apple
Apple ios
Apple ipad Os
Apple safari
Apple tv Os
Apple visionos
Apple watch Os

Tue, 04 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Nov 2025 01:45:00 +0000

Type Values Removed Values Added
Description A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Subscriptions

Apple Ios Ipad Os Ipados Iphone Os Safari Tv Os Tvos Visionos Watch Os Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:11:56.632Z

Reserved: 2025-04-16T15:24:37.124Z

Link: CVE-2025-43432

cve-icon Vulnrichment

Updated: 2025-11-04T14:42:15.423Z

cve-icon NVD

Status : Modified

Published: 2025-11-04T02:15:49.060

Modified: 2026-04-02T19:20:45.727

Link: CVE-2025-43432

cve-icon Redhat

Severity : Important

Publid Date: 2025-11-20T00:00:00Z

Links: CVE-2025-43432 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T22:00:18Z

Weaknesses